New Rules
- new: AWS Console GetSigninToken Potential Abuse
- new: Bitbucket Audit Log Configuration Updated
- new: Bitbucket Full Data Export Triggered
- new: Bitbucket Global Permission Changed
- new: Bitbucket Global SSH Settings Changed
- new: Bitbucket Global Secret Scanning Rule Deleted
- new: Bitbucket Project Secret Scanning Allowlist Added
- new: Bitbucket Secret Scanning Exempt Repository Added
- new: Bitbucket Secret Scanning Rule Deleted
- new: Bitbucket Unauthorized Access To A Resource
- new: Bitbucket Unauthorized Full Data Export Triggered
- new: Bitbucket User Details Export Attempt Detected
- new: Bitbucket User Login Failure
- new: Bitbucket User Login Failure Via SSH
- new: Bitbucket User Permissions Export Attempt
- new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
- new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
- new: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
- new: DNS Query Request To OneLaunch Update Service
- new: DPRK Threat Actor - C2 Communication DNS Indicators
- new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- new: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- new: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
- new: Remote Access Tool - ScreenConnect Remote Execution
- new: Remote Access Tool - ScreenConnect Server Web Shell Execution
- new: Remote Access Tool - Simple Help Execution
- new: ScreenConnect - SlashAndGrab Exploitation Indicators
- new: ScreenConnect User Database Modification
- new: ScreenConnect User Database Modification - Security
- new: Suspicious File Download From IP Via Wget.EXE - Paths
- new: User Added To Highly Privileged Group
Updated Rules
- update: APT User Agent - Add UA used by RedCurl APT
- update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
- update: Console CodePage Lookup Via CHCP - Increase coverage by accounting for the "/" option in command flags
- update: Curl Download And Execute Combination - Increase coverage by accounting for the "/" option in command flags
- update: File Deletion Via Del - Increase coverage by accounting for the "/" option in command flags
- update: Files And Subdirectories Listing Using Dir - Increase coverage by accounting for the "/" option in command flags
- update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for new reported bypass
- update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by accounting for the "/" option in command flags
- update: Remote Access Tool - ScreenConnect Installation Execution - Reduce level to medium
- update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Update logic and reduce the level to medium
- update: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting - Move the rule to Hunting
- update: Remote Access Tool - ScreenConnect Remote Command Execution - Reduce level to low
- update: Suspicious Ping/Copy Command Combination - Increase coverage by accounting for the "/" option in command flags
- update: Suspicious PowerShell IEX Execution Patterns - Enhance coverage by adding new "IEX" variant
- update: Suspicious Service Installation Script - Increase coverage by accounting for the "/" option in command flags
- update: Weak or Abused Passwords In CLI - Add an additional password seen abused in the wild
Removed / Deprecated Rules
- remove: CobaltStrike Malformed UAs in Malleable Profiles
- remove: CobaltStrike Malleable (OCSP) Profile
- remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
- remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
- remove: Rundll32 JS RunHTMLApplication Pattern
- remove: Suspicious Rundll32 Script in CommandLine
- remove: iOS Implant URL Pattern
Acknowledgement
Thanks to @clebron23, @faisalusuf, @frack113, @joshnck, @MalGamy, @MATTANDERS0N, @nasbench, @qasimqlf and @RG9n for their contributions to this release.
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.